
Malware of the Trojan-Ransom class can be divided into the following categories:

Applications that restrict Internet access

This category includes the Trojan-Ransom.Win32.Digitala family of malware:

Get Accelerator

Digital Access

Get Access

Download Manager v1.34

Ilite Net Accelerator

These ransomware applications block Internet access and display a message on the screen stating that the license agreement has been breached and that the user must send an SMS with a code to the specified number.

This malware can appear on a user’s computer if:

The user starts the installation of a malicious application that presents itself as legitimate.

The malicious application is downloaded without the user’s knowledge by another malicious application.

If the issue persists, submit a request to Kaspersky technical support via My Kaspersky.
For instructions on using My Kaspersky, see the Online Help page.

Applications that restrict browser functionality

The most well-known malware in this category is Trojan-Ransom.Win32.Hexzone and Trojan-Ransom.Win32.BHO. These applications cause a pop-up window to appear that completely blocks the browser window and demands a ransom payment. This window cannot be closed.

How to eliminate an infection

Method 1

Method 2

If you are unable to download a free Kaspersky utility, check the extensions installed in your browser settings and remove any that seem suspicious. Pay attention to extensions that have nothing specified in the Publisher column or that display the status Not Verified. These should be checked first. Follow the instructions:

After removing the extension, install a Kaspersky application to prevent being infected again in the future.


Applications that restrict access to websites

The malware Trojan-Ransom.BAT.Agent.c is an example. This application modifies the “hosts” system file and blocks access to over 200 websites. If your computer is infected by the Trojan-Ransom.BAT.Agent.c malware, you will see a window with a ransom demand when opening a website instead of the page you were expecting.
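A defender can check for this kind of tampering by listing every active entry in the hosts file. The sketch below is an added example, not Kaspersky code: the sample file contents, the `BENIGN_NAMES` allow-list and the verdict labels are assumptions made for illustration, and the domains and addresses are constructed.

```python
import ipaddress
from pathlib import Path

# Default location on Windows; other platforms use /etc/hosts.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")
# Names a clean hosts file may map to loopback (assumption for this example).
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
# constructed sample, not taken from a real infection
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example.com example.com
127.0.0.1       update.example.net   # inline comment
0.0.0.0         av.example.org
not-an-ip       portal.example.com
"""


def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for every entry worth reviewing."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "", "malformed"))
            continue
        for name in fields[1:]:  # one line may map several hostnames
            name = name.lower().rstrip(".")
            if name in BENIGN_NAMES and ip.is_loopback:
                continue
            # Loopback or 0.0.0.0 makes the site unreachable; any other
            # address sends the browser to a different server.
            local = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, str(ip), name, "blocked" if local else "redirected"))
    return findings


if __name__ == "__main__":
    text = (HOSTS_PATH.read_text(encoding="utf-8", errors="replace")
            if HOSTS_PATH.exists() else SAMPLE_HOSTS)
    for finding in audit_hosts(text):
        print(*finding, sep="\t")
```

On a machine where nobody has edited the file by hand, every reported line is a candidate for removal; review the list before deleting entries, because administrators sometimes add legitimate mappings.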


Applications that block access to operating system resources

Applications from this category block access to operating system resources. When the applications run, you will see a window on the screen demanding a ransom payment that cannot be closed or minimized.

How to eliminate an infection

Method 1

Use the free Kaspersky WindowsUnlocker utility to unlock the Windows operating system. This utility is included with Kaspersky Rescue Disk.

Method 2

If you are unable to download and run a Kaspersky utility, kill the malicious process manually. If the computer is on a network, connect to it remotely using the standard WMIC (Windows Management Instrumentation Command-line) administration tool:

On the remote computer, press Win + R on the keyboard. For instructions on connecting to a computer remotely, see the Microsoft support website.

Enter the command cmd and click OK.

Run the command:

wmic /NODE:<computer name or network address> /USER:<username on infected machine>

For example: wmic /NODE:192.168.10.128 /USER:Analyst

Enter the password for the user of the blocked computer.

Run the process command.

In the list of operating system and application processes, find the suspicious process. For example: aers0997.exe

Run the command:

process where name="<name of malicious process>" delete

For example: process where name="aers0997.exe" delete

Wait until the window with the ransom demand has disappeared from the locked computer.

To prevent further infection in the future, install a Kaspersky application and run a scan of the computer.

After entering the password, the command prompt window will appear. From the command prompt window you can run any utility or application. Use the free Autoruns utility to search for malware.


Applications that restrict the user’s actions in the operating system

Examples of this type of malware are the Trojan-Ransom.Win32.Taras.e and Trojan-Ransom.Win32.Krotten applications. These applications modify system settings, for example, preventing the system registry from being edited or the Task Manager from launching.

Method 2

Copy all important files so they are not lost when the user’s profile is deleted.

Delete the blocked user’s profile. See the Microsoft support website for instructions.

Create a new user profile and sign in to the system.


Applications that encrypt the user’s files

Examples of this type of malware are the Trojan-Ransom.Win32.GPCode and Trojan-Ransom.Win32.Encore applications. These ransomware applications encrypt the user’s data and demand a ransom for restoring access to it. The ransom conditions are displayed on the Desktop or located in a text file in each folder that contains encrypted files.

How to restore files

To decrypt files, send a request to Kaspersky technical support via the My Kaspersky portal. Include a detailed description of the issue in your request and attach the encrypted files.
For instructions on using My Kaspersky, see the Online Help page.

Kaspersky specialists cannot guarantee that damaged files can be decrypted.

Applications that intercept the user’s requests in the browser

An example of this type of malware is Trojan-Ransom.Win32.Cidox. This malware is embedded into the browser processes and intercepts requests made by the user.